ABSTRACT


In a binary-search algorithm for the computation of a numerical function, the interval in which the desired output is sought is divided in half at each iteration. This paper considers how such algorithms might be derived from their specifications by an automatic system for program synthesis. The derivation of the binary-search concept has been found to be surprisingly straightforward. The programs obtained, though reasonably simple and efficient, are quite different from those that would have been constructed by informal means.


Key Words: program synthesis; theorem proving; binary search; real square root; lam bo function.
1. INTRODUCTION


Some of the simplest efficient algorithms for the computation of numerical functions rely on the notion of binary search: according to this technique, the interval in which the desired output is sought is divided in half at each iteration until it is smaller than a given tolerance.

For example, let us consider the following program for finding a real-number approximation to the square root of a nonnegative real number r. The program sets z to be within a given positive tolerance ε less than √r.

    z ← 0;
    v ← max(r, 1);
    while ε ≤ v do
        v ← v/2;
        if [z + v]² ≤ r then z ← z + v;
    return(z)

This is a classical square-root program based on that of Wensley [59]. The program establishes and maintains the loop invariant that z is within v less than √r, i.e., that √r belongs to the half-open interval [z, z + v). At each iteration, the program divides this interval in half and tests whether √r is in the right or left half, adjusting z and v accordingly, until v is smaller than the given tolerance ε. The program is reasonably efficient; it terminates after ⌈log₂(max(r, 1)/ε)⌉ iterations.

Analogous programs provide an efficient means of computing a variety of numerical functions. It is not immediately obvious how such programs can be developed by automatic program-synthesis systems, which derive programs to meet given specifications. Some researchers (e.g., Dershowitz and Manna [77], Smith [85]) have suggested that synthesis systems be provided with several general program schemata, which could be specialized to fit particular applications. Binary search would be one of these schemata. The system would have to determine which schema, if any, is applicable to a new problem.

It may indeed be valuable to provide a synthesis system with general schemata, but this approach leaves open the question of how such schemata are discovered in the first place. To our surprise, we have found that the concept of binary search emerges quite naturally and easily in the derivations of some numerical programs and therefore does not need to be built in. The programs we have obtained in this way are simple and efficient, but bizarre in appearance and quite different from those we would have constructed by informal means.


We have derived the programs in a deductive framework (Manna and Waldinger [80]) in which the process of constructing a program is regarded as a task of proving a mathematical theorem. According to this approach, the program's specification is phrased as a theorem, the theorem is proved, and a program guaranteed to meet the specification is extracted from the proof. If the specification reflects our intentions correctly, no further verification or testing is required.

In this paper we outline our deductive framework and show the derivation of a novel real-number square-root program, emphasizing the emergence of the binary-search concept. We then show several analogous binary-search derivations, for both different problems and different specifications of the same problem.

In this section we present our framework briefly, using the square-root derivation as a continuing example.

We begin with an outline of the logical concepts we shall need.

LOGICAL PREREQUISITES

The system deals with

• terms composed (in the usual way) of constants a, b, c, ..., variables u, v, w, ..., function symbols, and the conditional term constructor if-then-else.

• atoms composed of relation (predicate) symbols, including the equality symbol =, applied to terms, and the truth symbols true and false.

• sentences composed of atoms and logical connectives.

Sentences are quantifier-free. An expression is a term or a sentence. An expression is said to be ground if it contains no variables. We sometimes use infix notation for function and relation symbols (for example, x + a or 0 < y). Certain of the symbols are declared to be primitive; these are the computable symbols of our programming language.

We loosely follow the terminology of Robinson [79]. We denote a substitution θ by {x₁ ← t₁, x₂ ← t₂, ..., xₙ ← tₙ}. For any expression e, the expression eθ is the result of applying θ to e, obtained by simultaneously replacing every occurrence of the variable xᵢ in e with the corresponding term tᵢ. We shall also say that eθ is an instance of e.

Let e, s, and t be expressions, where s and t are either both sentences or both terms. If we write e as e[s], then e[t] denotes the result of replacing every occurrence of s in e[s] with t. Let θ be a substitution. Then eθ[t] denotes the result of replacing every occurrence of sθ in eθ with t.

Variables in sentences are given an implicit universal quantification; a sentence is true under a given interpretation if every instance of the sentence is true, or, equivalently, if every ground instance of the sentence (i.e., an instance that contains no variables) is true.

We now describe the basic notions of deductive program synthesis.


SPECIFICATIONS AND PROGRAMS

A specification is a statement of the purpose of the desired program, which does not need to indicate a method of achieving that purpose. In this paper we consider only applicative (or functional) programs, which yield an output but alter no data structures and produce no other side effects. The specifications for these programs have the form

    f(a) ⇐ find z such that R[a, z]
           where P[a].

In other words, the program f that we want to construct is to yield, for a given input a, an output z satisfying the output condition R[a, z], provided that the input a satisfies the input condition P[a]. In other words, z is to satisfy the input-output condition

    if P[a] then R[a, z].

For example, suppose we want to specify the program sqrt to yield a real number z that is within a given tolerance ε less than √r, the exact square root of a given nonnegative real number r. Then we might write

    sqrt(r, ε) ⇐ find z such that
                   z² ≤ r and not [(z + ε)² ≤ r]
                 where 0 ≤ r and 0 < ε.

In other words, we want to find an output z satisfying the output condition
    z² ≤ r and not [(z + ε)² ≤ r],
provided that the inputs r and ε satisfy the input condition
    0 ≤ r and 0 < ε.

The above square-root specification is not a program and does not indicate a particular method for computing the square root; it describes the input-output behavior of many programs, employing different algorithms and perhaps producing different outputs. Of course, other specifications for a square-root program are possible.

The programs we consider are sets of expressions of the form

    fᵢ(a) ⇐ tᵢ,

where tᵢ is a primitive term, i.e., one expressed entirely in the vocabulary of our programming language. We regard the input a as primitive. These programs can be mutually recursive; i.e., we also regard the function symbols fᵢ as primitive. In the usual way, such a program indicates a method for computing an output.

In a given theory, a program f is said to satisfy a specification of the above form if, for any input a satisfying the input condition P[a], the program f(a) terminates and produces an output t satisfying the output condition R[a, t]. The problem we face is to construct a program satisfying a given specification.

DEDUCTIVE TABLEAUX

The fundamental structure of our system, the deductive tableau, is a set of rows, each of which must contain a sentence, either an assertion or a goal; any of these rows may also contain a term, the output entry. An example of a tableau follows:

    assertions               goals                                 outputs: sqrt(r, ε)
    1. 0 ≤ r and 0 < ε
                             2. z² ≤ r and not [(z + ε)² ≤ r]      z
                             3. not [ε² ≤ r]                       0

Here z is a variable and r and ε are constants.

Under a given interpretation for its constant, function, and predicate symbols, a tableau is true whenever the following condition holds:

    If all instances of each of the assertions are true,
    then some instance of at least one of the goals is true.

Equivalently, the tableau is true if some instance of at least one of the assertions is false or some instance of at least one of the goals is true. Thus, the above tableau is true if assertion 1,

    0 ≤ r and 0 < ε,

is false or if the instance (obtained by taking z to be 0) of goal 2

    0² ≤ r and not [(0 + ε)² ≤ r]

is true (among other possibilities).

In a given theory, a tableau is said to be valid if it is true under any model for the theory. In the theory of real numbers, the above tableau is valid, since it is true under any model. For either assertion 1 is false, or r is nonnegative and the instance of goal 2 obtained by taking z to be √r is true.

Under a given interpretation and for a given specification

    f(a) ⇐ find z such that R[a, z]
           where P[a],

a goal is said to have a suitable output entry if, whenever an instance of the goal is true, the corresponding instance t' of the output entry will satisfy the input-output condition

    if P[a] then R[a, t'].

(If the goal has no explicit output entry, it is said to have a suitable output entry if, whenever an instance of the goal is true, any term t' satisfies the input-output condition.) An assertion is said to have a suitable output entry if, whenever an instance of the assertion is false, the corresponding instance t' of the output entry will satisfy the input-output condition.

For example, in the theory of real numbers, consider the square-root specification

    sqrt(r, ε) ⇐ find z such that
                   z² ≤ r and not [(z + ε)² ≤ r]
                 where 0 ≤ r and 0 < ε.

Under any model for the theory, the output entries of the above tableau are suitable for the square-root specification. In particular, if some instance of goal 2, obtained by replacing z with a term s, is true, then s will satisfy the input-output condition,

    if 0 ≤ r and 0 < ε
    then s² ≤ r and not [(s + ε)² ≤ r].

Also, if assertion 1, which has no output entry, is false, then any term s satisfies the above condition.

Under a given interpretation I and for a given specification, two tableaux T₁ and T₂ have the same meaning if

    T₁ is true under I
    if and only if
    T₂ is true under I

and

    the output entries of T₁ are suitable
    if and only if
    the output entries of T₂ are suitable.

In a given theory and for a given specification, two tableaux are equivalent if, under any model I for the theory, the two tableaux have the same meaning.

We shall use the following properties of a tableau (for a particular theory and a particular specification):

• Duality Property

Any tableau is equivalent to the one obtained by removing an assertion and adding its negation as a new goal, with the same output entry. Similarly, any tableau is equivalent to the one obtained by removing a goal and adding its negation as a new assertion. Thus, we could manage with a system that has no goals or a system that has no assertions, but the distinction between assertions and goals does make derivations easier to understand.

• Renaming Property

Any tableau is equivalent to the one obtained by systematically renaming the variables of any row. More precisely, we may replace any of the variables of the row with new variables, making sure that all occurrences of the same variable in the row (including those in the output entry) are replaced by the same variable and that distinct variables in the row are replaced by distinct variables. In other words, the variables of a row are dummies that may be renamed freely.

• Instance Property

Any tableau is equivalent to the one obtained by introducing as a new row any instance of an existing row. The new row is obtained by replacing all occurrences of certain variables in the existing row (including those in the output entry) with terms. Note that the existing row is not replaced; the new one is simply added.


THE DEDUCTIVE PROCESS

Consider a particular theory and the specification

    f(a) ⇐ find z such that R[a, z]
           where P[a].

We form the initial tableau

    assertions      goals        outputs: f(a)
    P[a]
                    R[a, z]      z

Here the input condition P[a] is the initial assertion, the output condition R[a, z] is the initial goal, and the output z is the goal's output entry. We regard the input a as a constant and the output z as a variable. We may also include in the initial tableau (as an assertion) any valid sentence of the theory.

Note that the output entries of this tableau are suitable. Under any model for the theory, if the initial assertion P[a] is false, then any output satisfies the input-output condition vacuously; and if some instance R[a, t'] of the initial goal R[a, z] is true, the corresponding instance t' of the associated output entry satisfies the input-output condition. Furthermore, the valid sentences included as initial assertions cannot be false.
Example

For the specification of the real-number square-root program,

    sqrt(r, ε) ⇐ find z such that
                   z² ≤ r and not [(z + ε)² ≤ r]
                 where 0 ≤ r and 0 < ε,

we form the initial tableau

    assertions               goals                                 outputs: sqrt(r, ε)
    1. 0 ≤ r and 0 < ε
                             2. z² ≤ r and not [(z + ε)² ≤ r]      z

Here the inputs r and ε are constants and the output z is a variable. We may also include as assertions valid sentences of the theory of real numbers, such as

    u² = u · u

where u and v are variables.

In the deductive process, we attempt to show that the initial tableau is valid. For this purpose, we apply deduction rules that add new rows without changing the tableau's meaning in any model for the theory. In other words, under a given model, the tableau is true before application of the rule if and only if it is true afterwards, and the output entries are suitable beforehand if and only if they are suitable afterwards. We describe the deduction rules in the next section.

The process continues until we obtain either of the two rows

    assertions      goals        outputs: f(a)
                    true         t
    false                        t

where the output entry t is primitive, i.e., expressed entirely in the vocabulary of our programming language. At this point, we derive the program

    f(a) ⇐ t.

We claim that t satisfies the given specification. For, in applying the deduction rules, we have guaranteed that the new output entries will be suitable if the earlier output entries are suitable. We have seen that the initial output entries are all suitable; therefore, the final output entry t is also suitable. This means that, under any model, if the final goal true is true or the final assertion false is false, the corresponding output entry t will satisfy the input-output condition

    if P[a] then R[a, t].

But, under any model, the truth symbols true and false are true and false, respectively, and hence t will satisfy the input-output condition. Therefore, the program f(a) ⇐ t does satisfy the specification.

For example, from the square-root derivation we shall obtain the program

    sqrt(r, ε) ⇐ if max(r, 1) < ε
                 then 0
                 else if [sqrt(r, 2ε) + ε]² ≤ r
                      then sqrt(r, 2ε) + ε
                      else sqrt(r, 2ε).

(Actually we shall obtain a slightly different program.) Before we describe the deduction rules of our system, let us say a few words about this program. This will help the understanding of the ensuing derivation.


DISCUSSION OF THE PROGRAM

The program first checks whether the error tolerance ε is reasonably small. If ε is very big, that is, if max(r, 1) < ε, then the output can safely be taken to be 0. For, because 0 ≤ r, we have

    0² ≤ r.

And because max(r, 1) < ε, we have r < ε and 1 < ε, and hence r < ε², that is,

    not [(0 + ε)² ≤ r].

Thus, in this case, taking z to be 0 satisfies both conjuncts of the output condition
    z² ≤ r and not [(z + ε)² ≤ r].

If ε is small, that is, if ε ≤ max(r, 1), the program finds a rougher estimate sqrt(r, 2ε), which is within 2ε less than √r, the exact square root of r. In other words, the root is within the half-open interval [sqrt(r, 2ε), sqrt(r, 2ε) + 2ε). The program then asks whether [sqrt(r, 2ε) + ε]² ≤ r, that is, whether the root is in the right or the left half of this interval. The situation is illustrated below:

    sqrt(r, 2ε)           sqrt(r, 2ε) + ε           sqrt(r, 2ε) + 2ε

If the root is in the right half, we can increase our rough estimate by ε, for sqrt(r, 2ε) + ε is then within ε less than the root. On the other hand, if the root is within the left half, we can leave the estimate alone, for sqrt(r, 2ε) is already within ε less than the root.

The termination of the program may seem a bit problematic, because the argument ε is doubled with each recursive call. However, the argument r is unchanged and recursive calls are evaluated only until max(r, 1) < ε, so there is a uniform upper bound on these increasing arguments.

If the multiple occurrences of the recursive call sqrt(r, 2ε) are combined by eliminating common subexpressions, the program we obtain is reasonably efficient; it requires ⌈log₂(max(r, 1)/ε)⌉ recursive calls. Furthermore, the resulting program is of "linear" form and may be transformed into an iterative equivalent (Harrison and Khoshnevisan [86]).

Our final program is somewhat different from the iterative program we considered in the introduction. The iterative program divides an interval in half at each iteration; the recursive program doubles an interval with each recursive call. Division of the interval occurs implicitly as the recursive program unwinds, i.e., when the recursive calls finally yield output values. Our program may actually be superior if doubling a real number is faster than halving one.
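Both square-root programs, the iterative one from the introduction and the derived recursive one, as an added example in Python (ours, not the paper's): exact rational arithmetic lets the output condition z² ≤ r and not [(z + ε)² ≤ r] be checked exactly rather than in floating point, and the recursive version counts its calls so the ⌈log₂(max(r, 1)/ε)⌉ bound can be compared; the function names are ours.

```python
from fractions import Fraction
from math import ceil, log2


def meets_spec(r, eps, z):
    """Output condition of the sqrt specification: z² ≤ r and not [(z + ε)² ≤ r]."""
    return z * z <= r and not ((z + eps) * (z + eps) <= r)


def sqrt_iter(r, eps):
    """Wensley-style iterative program from the introduction.
    Returns (z, number of loop iterations); z ≤ √r ≤ z + v is kept throughout."""
    r, eps = Fraction(r), Fraction(eps)
    z, v, iterations = Fraction(0), max(r, Fraction(1)), 0
    while eps <= v:
        v = v / 2                      # halve the interval ...
        if (z + v) ** 2 <= r:          # ... and keep the half that contains √r
            z = z + v
        iterations += 1
    return z, iterations


def sqrt_rec(r, eps):
    """Derived recursive program: ε doubles on every call and the interval is
    halved only as the calls unwind. Returns (z, number of recursive calls)."""
    r, eps = Fraction(r), Fraction(eps)
    if max(r, Fraction(1)) < eps:      # tolerance so big that 0 already satisfies the spec
        return Fraction(0), 0
    rough, calls = sqrt_rec(r, 2 * eps)   # sqrt(r, 2ε), the common subexpression, once
    # rough is within 2ε less than √r; is √r in the right half [rough + ε, rough + 2ε)?
    if (rough + eps) ** 2 <= r:
        return rough + eps, calls + 1
    return rough, calls + 1


def call_bound(r, eps):
    """The paper's bound on the number of recursive calls: ⌈log₂(max(r, 1)/ε)⌉."""
    return ceil(log2(float(max(Fraction(r), Fraction(1)) / Fraction(eps))))


def both_programs_meet_spec(r, eps):
    """Check both programs against the specification on one input.
    They may legitimately return different outputs: the spec admits many."""
    r, eps = Fraction(r), Fraction(eps)
    z_it, _ = sqrt_iter(r, eps)
    z_rec, _ = sqrt_rec(r, eps)
    return meets_spec(r, eps, z_it) and meets_spec(r, eps, z_rec)


def spec_holds_on_grid():
    """Constructed input grid: r from 0 to 10 in steps of 1/4 (so r = 0 and r = 1 are
    included) and tolerances both larger and smaller than max(r, 1)."""
    tolerances = [Fraction(4), Fraction(1), Fraction(1, 2), Fraction(1, 8), Fraction(1, 64)]
    return all(both_programs_meet_spec(Fraction(k, 4), eps)
               for k in range(0, 41) for eps in tolerances)


if __name__ == "__main__":
    r, eps = Fraction(3), Fraction(1, 8)
    print("iterative:", sqrt_iter(r, eps))   # (27/16, 5)
    print("recursive:", sqrt_rec(r, eps))    # (13/8, 5): a different but valid output
    print("bound:", call_bound(r, eps), "grid ok:", spec_holds_on_grid())
```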

It is possible to obtain a version of the iterative program by formal derivation from the specification within the deductive-tableau system. Although the derivation and the resulting program are more complex (the program requires two additional inputs), it was this more complex derivation we discovered first, as we were already familiar with the iterative program.

We later found the recursive program while examining the consequences of purely formal derivation steps, not because we expected them to lead to a program, but because we were looking for strategic considerations that would rule out these branches of the search space. When we examined the program initially, we suspected an error in the derivation. We had not seen programs of this form before, and we certainly would not have constructed this one by informal means.


THE TRANSFORMATION RULES

We now begin to introduce the deduction rules of our system, illustrating them with fragments from the square-root derivation. Afterwards, we shall review the entire derivation. We begin with the simplest of the rules.

The transformation rules replace subexpressions of an assertion, goal, or output entry with equal or equivalent expressions. For instance, with the transformation rule

    P and true → P,

we can replace the subsentence ((A or B) and true) with (A or B) in an assertion or goal, and with the transformation rule

    u + u → 2u,

we can replace a subterm (a + b) + (a + b) with the term 2(a + b).

We use an associative-commutative matching algorithm (Stickel [81]), so that the associative and commutative properties of operators can be taken into account in applying the transformation rules. Thus, we can use the above rules to replace a subsentence (true and B) with the sentence B and the subterm (a + b) + b with the term a + 2b.

We include a complete set of true-false transformation rules, such as

    not false → true
    if P then false → not P.

Repeated application of these rules can eliminate from a tableau row any occurrence of a truth symbol true or false as a proper subsentence.

The soundness of the transformation rules is evident, since each produces an expression equivalent or equal (in the theory) to the one to which it is applied.


3. CONDITIONAL FORMATION

In this section we introduce the resolution rule, which can account for the introduction of the conditional (if-then-else) construct into the derived program.


THE RESOLUTION RULE: GROUND VERSION

The resolution rule corresponds to case analysis in informal reasoning. We first present the ground version of the rule, which applies to ground goals, i.e., goals with no variables. We express it in the following notation:

    assertions      goals                         outputs: f(a)
                    F[P]                          s
                    G[P]                          t
                    F[true] and G[false]          if P then s else t

In other words, suppose that our tableau contains two ground goals, F and G, whose output entries are s and t, respectively. Suppose further that F and G have a common subsentence P. Then we may derive and add to our tableau the new goal obtained by replacing all occurrences of P in F with true, replacing all occurrences of P in G with false, and forming the conjunction of the results. The output entry associated with the derived goal is the conditional term whose test is the common subsentence P and whose then-clause and else-clause are the output entries s and t for F and G, respectively. Because the resolution rule always introduces occurrences of the truth symbols true and false as proper subsentences, we can immediately apply true-false transformation rules to the derived goal.


Example

Suppose our tableau contains the rows

    assertions      goals                          outputs: sqrt(r, ε)
                    [max(r, 1) < ε]⁺               0
                    not [max(r, 1) < ε]⁻           if [sqrt(r, 2ε) + ε]² ≤ r
                                                   then sqrt(r, 2ε) + ε
                                                   else sqrt(r, 2ε)

These goals have a common subsentence max(r, 1) < ε, indicated by boxes (shown here as brackets with a polarity sign). Therefore we may derive and add to our tableau the new goal

    true and not false                             if max(r, 1) < ε
                                                   then 0
                                                   else if [sqrt(r, 2ε) + ε]² ≤ r
                                                        then sqrt(r, 2ε) + ε
                                                        else sqrt(r, 2ε)

By application of transformation rules, this goal reduces to

    true                                           if max(r, 1) < ε
                                                   then 0
                                                   else if [sqrt(r, 2ε) + ε]² ≤ r
                                                        then sqrt(r, 2ε) + ε
                                                        else sqrt(r, 2ε)

Note that, because we have derived the goal true with a primitive output entry, this could be the final step in a square-root derivation. (In fact, however, this will not be the final step in our derivation of a square-root program.)


If one of the given goals has no output entry, the derived output entry is not a conditional term; it is simply the output entry of the other given goal. If neither given goal has an output entry, the derived goal has no output entry either. We do not require that the two given goals be distinct; we may apply the rule to a goal and itself.

We have presented the resolution rule as it applies to two goals. According to the duality property of tableaux, however, we may transform an assertion into a goal simply by negating it. Therefore, we can apply the rule to an assertion and a goal, or to two assertions.

The resolution rule may be restricted by a polarity strategy, according to which we need not apply the rule unless some occurrence of P in F is "positive" and some occurrence of P in G is "negative". (Here a subsentence of a tableau is regarded as positive or negative if it is within the scope of an even or odd number, respectively, of negation connectives not. Each assertion is considered to be within the scope of an implicit negation; thus, while goals are positive, assertions are negative. The if-clause P of a subsentence (if P then Q) is considered to be within the scope of an additional implicit negation.) This strategy allows us to disregard many useless applications of the rule. The application in the previous example is in accordance with the polarity strategy; the boxed subsentence is positive in the first goal and negative in the second, as indicated by the annotation.
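The ground resolution rule, the polarity strategy and the true-false transformation rules as a small Python model, run on the two goals of the example above. This is an added example, not the paper's system; sentences are encoded as nested tuples and the encoding of the goals is our own.

```python
TRUE, FALSE = "true", "false"
# Sentences: atoms (strings) or ("not", A), ("and", A, B), ("or", A, B), ("if", P, Q).
# Output entries (terms): strings, or ("if", P, s, t) for the conditional term.


def replace(e, sub, by):
    """e[by]: replace every occurrence of the subsentence `sub` in e with `by`."""
    if e == sub:
        return by
    if isinstance(e, tuple):
        return (e[0],) + tuple(replace(x, sub, by) for x in e[1:])
    return e


def polarities(e, sub, pol=1):
    """Polarity (+1/-1) of each occurrence of `sub` in the goal e: flipped by `not`
    and by the if-clause of an implication, as the polarity strategy prescribes."""
    if e == sub:
        return [pol]
    if not isinstance(e, tuple):
        return []
    if e[0] == "not":
        return polarities(e[1], sub, -pol)
    if e[0] == "if":
        return polarities(e[1], sub, -pol) + polarities(e[2], sub, pol)
    return polarities(e[1], sub, pol) + polarities(e[2], sub, pol)


def simplify(e):
    """Apply the true-false transformation rules bottom-up until no truth symbol
    remains as a proper subsentence (P and true -> P, not false -> true,
    if P then false -> not P, and their companions)."""
    if not isinstance(e, tuple):
        return e
    op, args = e[0], [simplify(x) for x in e[1:]]
    if op == "not":
        return {TRUE: FALSE, FALSE: TRUE}.get(args[0], ("not", args[0]))
    a, b = args
    if op == "and":
        if a == TRUE: return b
        if b == TRUE: return a
        if FALSE in (a, b): return FALSE
    elif op == "or":
        if a == FALSE: return b
        if b == FALSE: return a
        if TRUE in (a, b): return TRUE
    elif op == "if":
        if a == TRUE: return b
        if a == FALSE or b == TRUE: return TRUE
        if b == FALSE: return simplify(("not", a))
    return (op, a, b)


def resolve_ground(goal_f, out_f, goal_g, out_g, p):
    """Ground resolution on goals F[P] and G[P] under the polarity strategy:
    derive F[true] and G[false] (simplified) with output (if P then s else t).
    A missing output entry (None) makes the other entry the derived one."""
    if 1 not in polarities(goal_f, p) or -1 not in polarities(goal_g, p):
        raise ValueError("polarity strategy: P must occur positively in F and negatively in G")
    derived = simplify(("and", replace(goal_f, p, TRUE), replace(goal_g, p, FALSE)))
    if out_f is None:
        output = out_g
    elif out_g is None:
        output = out_f
    else:
        output = ("if", p, out_f, out_g)
    return derived, output


# The paper's example: two ground goals sharing the subsentence max(r, 1) < ε.
P = "max(r,1) < ε"
COND = ("if", "[sqrt(r,2ε) + ε]² ≤ r", "sqrt(r,2ε) + ε", "sqrt(r,2ε)")


def paper_example():
    """Resolve  max(r,1) < ε  (output 0) against  not [max(r,1) < ε]  (output COND).
    Expected: the goal `true` with output (if max(r,1) < ε then 0 else COND)."""
    return resolve_ground(P, "0", ("not", P), COND, P)


def strategy_rejects_swapped_order():
    """With the goals swapped, P is negative in the first goal, so the strategy declines."""
    try:
        resolve_ground(("not", P), COND, P, "0", P)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(paper_example())
    print("swapped order rejected:", strategy_rejects_swapped_order())
```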

Let us show that the resolution rule is sound: that is, in a given model of the theory and for a given specification, the meaning of the tableau is the same before and after application of the rule. It actually suffices to show that, if the derived goal is true, then at least one of the given goals is true and, if the given output entries are suitable, so is the derived output entry.

Suppose the derived goal (F[true] and G[false]) is true. Then both its conjuncts F[true] and G[false] are true. We distinguish between two cases, depending on whether the common subsentence P is true or false. In the case in which P is true, the (ground) goal F[P] has the same truth-value as the conjunct F[true]; that is, F[P] is true. In the case in which P is false, the goal G[P] has the same truth-value as the conjunct G[false]; that is, G[P] is true. In either case, one of the two given goals, F[P] and G[P], is true.

Now assume that the given output entries are suitable. To show that the derived output entry is suitable, we suppose that the derived goal is true and establish that the derived output entry satisfies the input-output condition. We have seen that, in the case in which P is true, the given goal F[P] is true; because its output entry s is suitable, it satisfies the input-output condition. Similarly, in the case in which P is false, the output entry t satisfies the input-output condition. In either case, therefore, the conditional term (if P then s else t) satisfies the input-output condition; but this is the derived output entry.


THE RESOLUTION RULE: GENERAL VERSION

We have described the ground version of the resolution rule, which applies to goals with no variables. We now present the general version, which applies to goals with variables. In this case, we can apply a substitution to the goals, as necessary, to create a common subsentence.

    assertions      goals                         outputs: f(a)
                    F[P]                          s
                    G[P']                         t
                    Fθ[true] and Gθ[false]        if Pθ then sθ else tθ

More precisely, suppose our tableau contains goals F and G, which have no variables in common. (This can be ensured by renaming the variables of the rows as necessary, according to the renaming property.) Suppose further that some of the subsentences P of F and some of the subsentences P' of G are unifiable, with a most-general unifier θ; let Pθ = P'θ be the unified subsentence. Then we may derive and add to our tableau the new goal


obtained by replacing all occurrences of Pθ in Fθ with true, replacing all occurrences of
Pθ in Gθ with false, and forming the conjunction of the results. The associated output
entry is a conditional term whose test is the unified subsentence Pθ, and whose then-
clause and else-clause are the corresponding instances sθ and tθ, respectively, of the given
output entries.

In other words, to apply the general version of the rule to F and G, we apply the
ground version of the rule to Fθ and Gθ. The soundness of the general version can be
deduced from the soundness of the ground version and the instance property. The polarity
strategy applies as before. If we wish to apply the rule to an assertion and a goal or to
two assertions, we can regard the assertions as goals by negating them, as in the ground


Example 


Suppose our tableau contains the rows

    assertions                                goals                               outputs: sqrt(r, ε)
    ----------------------------------------------------------------------------------------------------
    if (x, v) ≺w (r, ε)
      then if 0 ≤ x and 0 < v
        then ⟦(sqrt(x, v))² ≤ x and
              not [(sqrt(x, v) + v)² ≤ x]⟧⁻
                                              ⟦ẑ² ≤ r and                         if (ẑ + ε)² ≤ r
                                               not [(ẑ + 2ε)² ≤ r]⟧⁺                then ẑ + ε
                                                                                    else ẑ

(Boxed subsentences are written here between ⟦ ⟧, with their polarity as a superscript.)
The boxed subsentences are unifiable; a most-general unifier is

    θ : {x ← r, v ← 2ε, ẑ ← sqrt(r, 2ε)}.

The goal's subsentence has positive polarity and the assertion's has negative polarity, as
indicated by the annotation. We may regard the assertion as a goal by negating it. By
application of the general version of the resolution rule, we may derive the new row

    goals                                     outputs: sqrt(r, ε)
    true and                                  if [sqrt(r, 2ε) + ε]² ≤ r
    not (if (r, 2ε) ≺w (r, ε)                   then sqrt(r, 2ε) + ε
           then if 0 ≤ r and 0 < 2ε              else sqrt(r, 2ε)
             then false)


By  the  application  of  transformation  rules,  this  goal  reduces  to 


    goals                                     outputs: sqrt(r, ε)
    (r, 2ε) ≺w (r, ε)                         if [sqrt(r, 2ε) + ε]² ≤ r
    and                                         then sqrt(r, 2ε) + ε
    0 ≤ r and 0 < 2ε                            else sqrt(r, 2ε)

Note that the unifier θ has been applied to all variables in the given rows, including those
in the output entry. Because the given assertion has no output entry, no new conditional
term is formed in deriving the output entry. This application of the rule is in accordance
with the polarity strategy.


Our resolution rule differs from the familiar resolution rule of Robinson [65] in that
it is nonclausal: it applies to quantifier-free sentences with a full set of logical connectives
that need not be in clausal form or any other normal form. Nonclausal resolution reduces
to classical resolution in the clausal case. The nonclausal rule was developed independently
by Manna and Waldinger [80] and Murray [82]. The resolution rule and the true-false
transformation rules have been shown by Murray to constitute a complete system for
first-order logic. The polarity strategy maintains this completeness.

We use an associative-commutative unification algorithm (as in Stickel [81]) so that
the associative and commutative properties of such operators as addition and conjunction
can be taken into account in finding a unifier; thus, p(f(x) + (b + g(a))) can be unified
with p((g(y) + f(b)) + x).

The  resolution  rule  accounts  for  the  introduction  of  the  notion  of  binary  search  into 
our  derivation. 


THE  DISCOVERY  OF  BINARY  SEARCH 


Recall that our initial goal is

    goals                                         outputs: sqrt(r, ε)
    2.  ⟦z² ≤ r⟧⁺ and not [(z + ε)² ≤ r]          z

We are about to apply the resolution rule to this goal and itself. To make this step
easier to understand, let us write another copy of the goal.

    2.  ẑ² ≤ r and not ⟦(ẑ + ε)² ≤ r⟧⁻            ẑ

We have renamed the variable of the second copy of the goal so that, as required, the two
copies have no variables in common.




The boxed subsentences of the two copies of the goal are unifiable; a most-general
unifier is

    θ : {z ← ẑ + ε}.

Therefore, we can apply the resolution rule between the two copies of the goal to obtain

    goals                                         outputs: sqrt(r, ε)
    true and not [((ẑ + ε) + ε)² ≤ r]             if (ẑ + ε)² ≤ r
    and                                             then ẑ + ε
    ẑ² ≤ r and not false                            else ẑ

By application of transformation rules, including the rule

    u + u → 2u,

this goal can be reduced to

    goals                                         outputs: sqrt(r, ε)
    3.  ẑ² ≤ r                                    if (ẑ + ε)² ≤ r
        and                                         then ẑ + ε
        not [(ẑ + 2ε)² ≤ r]                         else ẑ

(We  have  reordered  the  conjuncts  for  pedagogical  reasons  only;  because  we  use  associative 
commutative  unification,  their  actual  order  is  irrelevant.) 


According to this goal, it suffices to find a rougher estimate ẑ, which is within a
tolerance 2ε less than √r. For then either ẑ + ε or ẑ itself will be within ε less than √r,
depending on whether or not ẑ + ε is less than or equal to √r, that is, (ẑ + ε)² ≤ r. The
two possibilities are illustrated below:


    [Figure: the interval [ẑ, ẑ + 2ε) with its midpoint ẑ + ε marked, showing where √r lies in each case.]
    Case: ẑ + ε ≤ √r
    Case: not [ẑ + ε ≤ √r]


Goal  3  contains  the  essential  idea  of  binary  search  as  applied  to  the  square-root 
problem.  Although  the  idea  seems  subtle  to  us,  it  appears  almost  immediately  in  the 
derivation.  The  step  is  nearly  inevitable:  any  brute-force  search  procedure  would  discover 
it. 


The derivation of the new goal is logically straightforward, but the intuition behind it
may be a bit mysterious. Let us paraphrase the reasoning in a more geometric way. Our
initial goal expresses the fact that it suffices to find a real number z such that √r belongs
to the half-open interval [z, z + ε). Our rewritten copy of this goal expresses the fact that
it is equally acceptable to find a real number ẑ such that √r belongs to the half-open
interval [ẑ, ẑ + ε). We shall be content to achieve either of these goals; i.e., we shall be
happy if √r belongs to either of the two half-open intervals. In taking z to be ẑ + ε, we
are concatenating the two intervals, obtaining a new half-open interval [ẑ, ẑ + 2ε) twice
the length of the original. It suffices to find a real number ẑ such that √r belongs to this
new, longer interval, because then √r must belong to one or the other of the two shorter
ones.
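The two resolution steps above, resolving goal 3 against the induction hypothesis in the example of the general rule, and resolving goal 2 against a renamed copy of itself to discover binary search, can be replayed mechanically. The following Python is an added example, not code from the paper or from any implementation of its system: it implements syntactic unification with an occurs check, the general resolution rule (apply θ, replace the unified subsentence by true in one goal and by false in the other, conjoin, and build the conditional output entry) and the true-false transformation rules, on terms encoded as nested tuples. It assumes the encoding described in its docstring, writes ẑ as ?zh and 2ε as ('*', 2, 'e'), and uses plain syntactic rather than associative-commutative unification, so the conjuncts of goal 3 are written in the order that matches the induction hypothesis.

```python
"""Nonclausal resolution with unification, replayed on the square-root goals.
Assumed encoding: a variable is a string beginning with '?', a constant is any
other string or an int, and a compound term or sentence is a tuple (op, arg, ...).
Sentences use 'and', 'not', 'implies'; "if P then s else t" is ('ite', P, s, t)."""

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def walk(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:]))

def unify(a, b, s):
    """Syntactic unification with occurs check (the paper uses an associative-
    commutative unifier; here conjuncts must already be in matching order)."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if occurs(v, t, s) else {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b) and a[0] == b[0]:
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def apply(s, t):
    """Apply substitution s throughout t, resolving bindings transitively."""
    if is_var(t):
        return apply(s, s[t]) if t in s else t
    return (t[0],) + tuple(apply(s, x) for x in t[1:]) if isinstance(t, tuple) else t

def replace(f, target, value):
    """Replace every occurrence of the sentence target in f by value."""
    if f == target:
        return value
    return (f[0],) + tuple(replace(x, target, value) for x in f[1:]) if isinstance(f, tuple) else f

def simplify(f):
    """True-false transformation rules plus the arithmetic rule u + u -> 2u."""
    if not isinstance(f, tuple):
        return f
    op, args = f[0], [simplify(x) for x in f[1:]]
    if op == 'not':
        a = args[0]
        if a in ('true', 'false'):
            return 'false' if a == 'true' else 'true'
        if isinstance(a, tuple) and a[0] == 'implies':     # not (if A then B) -> A and not B
            return simplify(('and', a[1], ('not', a[2])))
        return ('not', a)
    if op == 'and':
        flat = []
        for a in args:
            if a == 'false':
                return 'false'
            if a != 'true':
                flat.extend(a[1:] if isinstance(a, tuple) and a[0] == 'and' else [a])
        return 'true' if not flat else flat[0] if len(flat) == 1 else ('and',) + tuple(flat)
    if op == 'implies':
        a, b = args
        return b if a == 'true' else 'true' if a == 'false' or b == 'true' else ('implies', a, b)
    if op == '+' and isinstance(args[0], tuple) and args[0][0] == '+' and args[0][2] == args[1]:
        return ('+', args[0][1], ('*', 2, args[1]))          # (u + e) + e -> u + 2e
    return (op,) + tuple(args)

def resolve(F, s, P, G, t, Q):
    """General resolution rule on goals F (output s) and G (output t), acting on
    subsentence P of F and Q of G. An assertion A is passed as ('not', A), None."""
    theta = unify(P, Q, {})
    if theta is None:
        return None
    P_th = apply(theta, P)
    goal = simplify(('and', replace(apply(theta, F), P_th, 'true'),
                            replace(apply(theta, G), P_th, 'false')))
    if s is None or t is None:      # one row has no output entry: no conditional is formed
        out = apply(theta, s if t is None else t)
    else:
        out = ('ite', P_th, apply(theta, s), apply(theta, t))
    return goal, out, theta

def conjuncts(f):
    return frozenset(f[1:]) if isinstance(f, tuple) and f[0] == 'and' else frozenset([f])

def le_sq(x, y):                    # the sentence x^2 <= y
    return ('<=', ('sq', x), y)

def goal2(z):                       # z^2 <= r and not [(z + e)^2 <= r]
    return ('and', le_sq(z, 'r'), ('not', le_sq(('+', z, 'e'), 'r')))

TWO_E = ('*', 2, 'e')

def discover_binary_search():
    """Goal 2 against a renamed copy of itself: P is z^2 <= r, Q is (zh + e)^2 <= r."""
    F, G = goal2('?z'), goal2('?zh')
    return resolve(F, '?z', F[1], G, '?zh', G[2][1])

def introduce_recursive_call():
    """Goal 3 against the induction hypothesis for sqrt(x, v): the unifier binds
    zh to sqrt(r, 2e), which is how the recursive call enters the output entry."""
    goal3 = ('and', le_sq('?zh', 'r'), ('not', le_sq(('+', '?zh', TWO_E), 'r')))
    out3 = ('ite', le_sq(('+', '?zh', 'e'), 'r'), ('+', '?zh', 'e'), '?zh')
    call = ('sqrt', '?x', '?v')
    concl = ('and', le_sq(call, '?x'), ('not', le_sq(('+', call, '?v'), '?x')))
    hyp = ('implies', ('prec_w', ('pair', '?x', '?v'), ('pair', 'r', 'e')),
           ('implies', ('and', ('<=', 0, '?x'), ('<', 0, '?v')), concl))
    return resolve(goal3, out3, goal3, ('not', hyp), None, concl)
```

Both steps reproduce the unifiers and the rows shown above. The occurs check is what rejects a binding such as x ← g(x); a unifier that omits it accepts cyclic substitutions and can derive unsound goals, which is why it belongs in any resolution engine a security engineer would trust a derivation to.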


THE  THEORY  RESOLUTION  RULE 

It is difficult to prevent a system from deriving numerous irrelevant consequences
from the rows in a tableau. We can apply the resolution rule to virtually every goal in
our derivation if our tableau contains an assertion such as (u < v or v ≤ u). Stickel [85]
has introduced an extension to the resolution rule, which enables it to behave as if certain
properties of the theory were "built in." This theory resolution rule does not add to the
logical power of the system, but it does give us a heuristic advantage over a system in
which all properties must be represented as assertions. When a property is built into the
theory resolution rule, it is brought to bear only when it is appropriate.

The instance of Stickel's rule that we shall need is as follows. (Stickel's actual rule
is more general.) Let us suppose that H[P, Q] is a valid sentence we wish to build in.
Then the ground version of the theory resolution rule, invoking the property H[P, Q], is
as follows:


    assertions      goals                         outputs: f(a)
    ------------------------------------------------------------------
                    F[P]                          s
                    G[Q]                          t
                    F[true] and                   if P
                    G[true] and                     then s
                    not H[false, false]             else t

For strategic purposes, we may assume that P and Q are of positive polarity in the tableau
and in H. (In other words, they are within the scope of an even number of explicit
or implicit negations in H.) There are other versions of the rule that are strategically
preferable if P or Q is negative. The soundness of the rule actually does not depend on
the polarity.


The rule can be justified by adding the property H[P, Q] to the tableau as an assertion

    assertions
    H[P, ⟦Q⟧⁻]

(Note that because Q is positive in the assertion H and because each assertion is within
the scope of an implicit negation, Q is negative in the tableau.) Applying the ordinary
resolution rule to the goal

    goals                         outputs
    G[⟦Q⟧⁺]                       t

and to this assertion, we obtain the new goal

    G[true] and                   t
    not H[⟦P⟧⁻, false]

Applying the resolution rule again, to the goal

    F[⟦P⟧⁺]                       s

and to the new goal, we obtain

    F[true] and                   if P
    G[true] and                     then s
    not H[false, false]             else t


But this is precisely the conclusion drawn by the theory resolution rule, invoking the
property H[P, Q].

We have just presented the ground version of the rule. To apply the general version,
we first assume that the rows and the property H have no variables in common. We
then apply a most-general unifier θ that allows the ground version of the rule to become
applicable to Fθ and Gθ, invoking Hθ.


Example 


Suppose our tableau contains the two goals

    assertions      goals                         outputs: sqrt(r, ε)
    ------------------------------------------------------------------
                    ⟦max(r, 1) < ε⟧⁺              0
                    ⟦ε ≤ y⟧⁺                      if [sqrt(r, 2ε) + ε]² ≤ r
                                                    then sqrt(r, 2ε) + ε
                                                    else sqrt(r, 2ε)

Suppose we have built into the theory resolution rule the sentence

    H : ⟦u < v⟧⁺ or ⟦v ≤ u⟧⁺.

The boxed subsentences of the two goals are unifiable with the correspondingly boxed
subsentences of the sentence H; a most-general unifier is

    θ : {u ← max(r, 1), v ← ε, y ← max(r, 1)}.

According to the theory resolution rule, we can obtain the new goal

    true and                                      if max(r, 1) < ε
    true and                                        then 0
    not (false or false)                            else if [sqrt(r, 2ε) + ε]² ≤ r
                                                      then sqrt(r, 2ε) + ε
                                                      else sqrt(r, 2ε)

which is transformed into

    true                                          if max(r, 1) < ε
                                                    then 0
                                                    else if [sqrt(r, 2ε) + ε]² ≤ r
                                                      then sqrt(r, 2ε) + ε
                                                      else sqrt(r, 2ε)

(Note that this could be the final step in a square-root derivation.)
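The program that this final step yields can be executed and checked against the specification directly. The following Python is an added example, not the paper's code; it assumes the base-case test max(r, 1) < ε as reconstructed above and works on exact rationals (fractions.Fraction), because the output condition not [(z + ε)² ≤ r] is a strict bound that floating-point rounding of the squaring can cross. The three textual occurrences of sqrt(r, 2ε) in the output entry denote one value, so the code makes the recursive call once. The random inputs in fuzz are constructed for the example.

```python
"""The derived square-root program, run on exact rationals and checked
against its specification (added example; not from the paper)."""
from fractions import Fraction
import random

def spec_holds(r, eps, z):
    """Output condition of the specification: z^2 <= r and not [(z + eps)^2 <= r]."""
    return z * z <= r and not ((z + eps) ** 2 <= r)

def sqrt(r, eps, trace=None):
    """sqrt(r, eps) <= if max(r, 1) < eps then 0
                       else if [sqrt(r, 2eps) + eps]^2 <= r then sqrt(r, 2eps) + eps
                       else sqrt(r, 2eps)
    trace, if given, collects the eps of every call made (the recursion depth)."""
    if trace is not None:
        trace.append(eps)
    if max(r, 1) < eps:             # base case: 0 is within eps of sqrt(r)
        return Fraction(0)
    z = sqrt(r, 2 * eps, trace)     # rougher estimate, within 2eps of sqrt(r)
    return z + eps if (z + eps) ** 2 <= r else z   # pick the right or left half

def run(r, eps):
    """Return (result, number of calls, whether the specification holds)."""
    r, eps = Fraction(r), Fraction(eps)
    trace = []
    z = sqrt(r, eps, trace)
    return z, len(trace), spec_holds(r, eps, z)

def fuzz(n=300, seed=7):
    """Constructed random inputs with 0 <= r and 0 < eps; True if every run meets the spec."""
    rng = random.Random(seed)
    for _ in range(n):
        r = Fraction(rng.randint(0, 10**6), rng.randint(1, 1000))
        eps = Fraction(rng.randint(1, 1000), rng.randint(1, 10**4))
        if not run(r, eps)[2]:
            return False
    return True
```

The call count grows as roughly log2(max(r, 1)/ε) + 2: ε is doubled until it exceeds max(r, 1), which is the termination argument that the bounded-doubling relation later in the paper makes precise. The spec check is exact only because the arithmetic is; with binary floating point the same program can return a z for which the strict bound fails by one rounding unit.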


We have introduced two additional rules to give special treatment to equality, orderings,
and other important relations (Manna and Waldinger [86]), but these rules play no
part in the portion of the derivation to be discussed in detail.

We  shall  now  need  the  induction  rule;  this  we  describe  in  the  next  section. 


4.  RECURSION  FORMATION 


The  rules  presented  so  far  do  not  allow  us  to  introduce  any  repetitive  construct  into  the 
program  being  derived.  The  mathematical-induction  rule  accounts  for  the  introduction 
of  recursion  into  the  derived  program. 

We  employ  a  single  well-founded  induction  rule,  which  applies  to  a  variety  of  theories. 


THE MATHEMATICAL INDUCTION RULE


A well-founded relation ≺w is one that admits of no infinite decreasing sequences,
i.e., sequences x1, x2, x3, ..., such that

    x1 ≻w x2 and x2 ≻w x3 and ....

For instance, the less-than relation < is well-founded in the theory of nonnegative integers,
but not in the theory of real numbers.


The  well-founded  induction  rule  is  expressed  as  follows.  Suppose  our  initial  tableau 
is 


    assertions      goals         outputs: f(a)
    ------------------------------------------------
    P[a]            R[a, z]       z

In other words, we are attempting to construct a program f that, for an arbitrary input
a, yields an output z satisfying the input-output condition

    if P[a]
      then R[a, z].

According to the well-founded induction rule, we may prove this while assuming, as our
induction hypothesis, that the program f will yield an output f(x) satisfying the same
input-output condition

    if P[x]
      then R[x, f(x)],

provided that its input x is less than our original input a with respect to some well-founded
relation ≺w, that is, x ≺w a. In other words, we may add to our tableau the new assertion

    if x ≺w a
      then if P[x]
        then R[x, f(x)]


where  x  is  a  new  variable.  The  well-founded  relation  <w  used  in  the  induction  rule  is 
arbitrary  and  must  be  selected  later  in  the  proof. 


Example 


The initial tableau in the square-root derivation is

    assertions              goals                       outputs: sqrt(r, ε)
    -----------------------------------------------------------------------
    0 ≤ r and 0 < ε         z² ≤ r and                  z
                            not [(z + ε)² ≤ r]

By application of the well-founded induction rule, we may introduce as a new assertion
the induction hypothesis

    if (x, v) ≺w (r, ε)
      then if 0 ≤ x and 0 < v
        then (sqrt(x, v))² ≤ x and
             not [(sqrt(x, v) + v)² ≤ x]

where x and v are variables. In other words, we may assume inductively that the output
of the square-root program being constructed will satisfy the input-output condition for
inputs x and v that are less than the given inputs r and ε with respect to some well-
founded relation ≺w. Because the program has two input parameters rather than one,
the induction hypothesis refers to pairs of numbers rather than individual numbers, and
≺w is a relation over such pairs.


As it turns out, this particular induction hypothesis is never used in our square-root
derivation.


Use  of  the  induction  hypothesis  in  the  proof  may  account  for  the  introduction  of  a 
recursive  call  into  the  derived  program.  For  instance,  suppose  that  in  our  derivation  we 
manage  to  develop  a  goal  of  the  form 

    goals                         outputs: f(a)
    G[⟦R[s, z]⟧⁺]                 t[z]

The boxed subsentences of this goal and the induction hypothesis,

    if x ≺w a
      then if P[x]
        then ⟦R[x, f(x)]⟧⁻

are unifiable; a most-general unifier is

    θ : {x ← s, z ← f(s)}.

Therefore, we can apply the resolution rule to obtain (after true-false transformation)
the new goal

    G[true] and s ≺w a and P[s]   t[f(s)]

Note that a recursive call f(s) has been introduced into the output entry as a result
of this step. The condition P[s] in the goal ensures the legality of the argument s, i.e.,
that it satisfies the input condition of the desired program. The condition s ≺w a ensures
that the evaluation of the recursive call cannot lead to a nonterminating computation. (If
there were an infinite computation, we could construct a corresponding infinite sequence
of arguments decreasing with respect to ≺w, thus contradicting the definition of a well-
founded relation.)


Example 

In our square-root derivation we have developed the goal

    goals                                     outputs: sqrt(r, ε)
    ⟦ẑ² ≤ r                                   if (ẑ + ε)² ≤ r
     and                                        then ẑ + ε
     not [(ẑ + 2ε)² ≤ r]⟧⁺                      else ẑ

and the induction hypothesis

    if (x, v) ≺w (r, ε)
      then if 0 ≤ x and 0 < v
        then ⟦(sqrt(x, v))² ≤ x and
              not [(sqrt(x, v) + v)² ≤ x]⟧⁻

The boxed subsentences are unifiable; a most-general unifier is

    θ : {x ← r, v ← 2ε, ẑ ← sqrt(r, 2ε)}.

We obtain (after transformation)

    (r, 2ε) ≺w (r, ε)                         if [sqrt(r, 2ε) + ε]² ≤ r
    and                                         then sqrt(r, 2ε) + ε
    0 ≤ r and 0 < 2ε                            else sqrt(r, 2ε)

Note that at this point three recursive calls sqrt(r, 2ε) have been introduced into
the output entry. The condition (0 ≤ r and 0 < 2ε) ensures that the arguments r and
2ε of these recursive calls will satisfy the input condition for the program, i.e., that r is
nonnegative and 2ε is positive. The condition (r, 2ε) ≺w (r, ε) ensures that the newly
introduced recursive calls cannot lead to a nonterminating computation. The well-founded
relation ≺w that serves as the basis for the induction is as yet unspecified.

For reasons that will become clear, this step will not actually be part of our square-
root derivation.

The particular well-founded relation ≺w referred to in the induction hypothesis is not
yet specified; it is selected at a later stage of the proof. If we allow well-founded relations
to be objects in our domain, we may regard the sentence x ≺w y as an abbreviation
for ≺(w, x, y); thus, w is a variable that may be replaced by a particular relation. We
assume that the properties of many known well-founded relations (such as ≺tree, the
proper-subtree relation over trees) and of operations for combining them are among the
assertions of our initial tableau.

The well-founded induction principle (from which the rule is derived) is universally
quantified over all well-founded relations: it is surrounded by a quantifier (∀w). When the
quantifiers are removed by skolemization, the input a of the program being constructed
becomes a skolem term a(w) rather than a constant a. (Those unfamiliar with skolemization
are asked to accept this on faith.) This has the effect that the well-founded relation
w cannot be chosen to depend on the input parameter a(w) itself. In particular, w is not
unifiable with any term containing an occurrence of a(w). Otherwise the induction rule
would be unsound and the termination argument sketched above would not apply. If we
could alter the well-founded relation with each recursive call, we might indeed have an
infinite computation. For simplicity of notation, however, we shall continue to write our
input parameters as constants.
5. INTRODUCTION OF AUXILIARY SUBPROGRAMS


The  induction  rule,  as  we  have  presented  it,  can  be  applied  only  to  the  initial  rows  of  a 
tableau.  By  the  introduction  of  auxiliary  subprograms,  however,  any  rows  of  a  tableau 
can  be  taken  as  the  initial  rows  of  a  new  tableau,  to  which  we  may  apply  the  induction 
rule. 

Suppose that in the course of a derivation we have obtained the rows

    assertions      goals         outputs: f(a)
    ------------------------------------------------
    P[s]
                    R[s, ẑ]       t[ẑ]

where s is a ground term and ẑ is a variable. Then we may consider introducing a new
auxiliary subprogram f̂(â), whose specification is

    f̂(â) ⇐ find ẑ such that R[â, ẑ]
            where P[â].

(If R contains several variables ẑ1, ..., ẑn, we must construct several auxiliaries f̂1, ..., f̂n.)

Assuming that we shall succeed in constructing such an auxiliary, we add to our original
tableau an assertion that the new subprogram always meets its specification; namely,

    Q:  if P[x]
          then R[x, f̂(x)]

The auxiliary f̂ is taken to be primitive. By application of the resolution rule to the goal
R[s, ẑ] and the new assertion, we obtain (after true-false transformation)

    P[s]                          t[f̂(s)]

By resolution of this goal with the assertion P[s], we obtain (after true-false transformation)

    true                          t[f̂(s)]

If t[f̂(s)] is primitive, this may be taken to be the final step in a derivation of f(a). The
program we obtain is simply

    f(a) ⇐ t[f̂(s)].


In adding the new assertion Q, however, we are incurring the obligation to construct a
suitable auxiliary subprogram f̂(â). For this purpose, we introduce a new tableau, whose
initial rows are

    assertions      goals         outputs: f̂(â)
    ------------------------------------------------
    P[â]            R[â, ẑ]       ẑ

Because this is an initial tableau, we may apply the induction rule to add the induction
hypothesis

    if u ≺w â
      then if P[u]
        then R[u, f̂(u)]

We can actually form auxiliary subprograms whose input condition is a conjunction
(P1 and P2 and ...) of assertions and whose output condition is a disjunction
(R1 or R2 or ...) of goals, but we can do without this complication here.


We  shall  defer  giving  an  example  of  auxiliary-subprogram  introduction  until  we  have 
discussed  the  strategic  controls  for  such  a  step. 


STRATEGIC  CONSIDERATIONS 


Adding  a  new  auxiliary  subprogram  is  not  without  risk,  because  it  can  happen  that 
there  is  no  program  meeting  the  specification  of  the  auxiliary  even  though  the  original 
programming  problem  does  have  a  solution.  Although  we  are  not  primarily  concerned  with 
the  heuristic  aspects  of  program  synthesis  in  this  paper,  we  shall  mention  the  heuristic 
indicators  for  introducing  the  auxiliary. 


In the course of the main derivation, suppose we have obtained the rows

    assertions      goals         outputs: f(a)
    ------------------------------------------------
    P[s]
                    R[s, ẑ]       t[ẑ]

as before. What indicates that we should take these rows as the specification for a new
subprogram?

Assume that, only from these rows and assertions representing valid sentences of the
theory, we obtain a goal of the form

    G[⟦R[t, ẑ]⟧⁺]                 q[ẑ]

where t is a term, ẑ a variable, and R is positive in G. In other words, the new goal
contains as a subsentence a "replica" R[t, ẑ] of the higher-level goal R[s, ẑ]. The replica
is obtained by replacing a term s of the goal with a different term t (and possibly renaming
the variable ẑ).

This suggests forming an auxiliary f̂(â) with input condition P[â] and output condition
R[â, ẑ], where â is a new constant, the input parameter of the subprogram. The
initial tableau for the auxiliary is

    assertions      goals         outputs: f̂(â)
    ------------------------------------------------
    P[â]            R[â, ẑ]       ẑ

If we succeed in imitating the original derivation in the auxiliary tableau and developing
a corresponding subgoal of the form

    G[⟦R[t, ẑ]⟧⁺]                 q[ẑ]

we can then apply the resolution rule to this goal and the induction hypothesis for the
auxiliary,

    if u ≺w â
      then if P[u]
        then ⟦R[u, f̂(u)]⟧⁻

The unifying substitution is

    {u ← t, ẑ ← f̂(t)}.

We obtain (after transformation)

    G[true] and                   q[f̂(t)]
    t ≺w â and P[t]


In other words, the appearance of a replica in the main derivation suggests that we
form the appropriate auxiliary, so that in the auxiliary derivation we shall be able to
unify the corresponding replica with the conclusion of the auxiliary induction hypothesis.
There is, of course, the unfortunate possibility that we shall not be able to obtain the
appropriate replica in the auxiliary derivation, because we have replaced a term s in the
main derivation with the new constant â in the auxiliary. If the original derivation relies
on special properties of s, we may not be able to imitate it with the constant â.

During the derivation of the auxiliary, we may discover that we require a new assertion
P'[â], where P'[s] is already an assertion in our original tableau. In this case, we may
attempt to add P'[â] as an input condition to the auxiliary specification, to obtain

    f̂(â) ⇐ find ẑ such that R[â, ẑ]
            where P[â] and P'[â].

We may then add the new condition to the initial assertion in the auxiliary tableau, to
obtain

    P[â] and P'[â]


We  must  make  corresponding  alterations  in  the  induction  hypothesis  for  the  auxiliary 
tableau,  in  those  portions  of  the  proof  that  use  the  induction  hypothesis,  and  in  the 
assertion  describing  the  auxiliary  in  the  main  tableau.  Thus  the  precise  specification  of 
the  auxiliary  may  be  built  up  incrementally,  after  the  derivation  of  the  subprogram  is 
under  way. 

In  Manna  and  Waldinger  [80],  we  introduced  auxiliary  subprograms  by  adding  a  new 
output  column  in  the  original  tableau  rather  than  adding  a  new  tableau.  Traugott  [86] 
uses  multiple  tableaux  to  introduce  subprograms,  as  we  do  here. 


SQUARE  ROOT:  INTRODUCTION  OF  THE  SUBPROGRAM 


In the tableau for the square-root derivation, we are initially given the rows

    assertions              goals                       outputs: sqrt(r, ε)
    -----------------------------------------------------------------------
    1.  0 ≤ r and 0 < ε     2.  z² ≤ r and              z
                                not [(z + ε)² ≤ r]

By resolving the goal with itself and transforming, we have obtained the subgoal

    3.  ẑ² ≤ r and                                  if (ẑ + ε)² ≤ r
        not [(ẑ + 2ε)² ≤ r]                           then ẑ + ε
                                                      else ẑ

The entire subgoal is a replica of the initial goal, obtained by replacing the term ε
with 2ε and the variable z with ẑ. This suggests introducing a new auxiliary subprogram
ŝqrt(ε̂), whose parameter ε̂ plays the role of the replaced term ε in the initial goal, and
whose input and output conditions are the initial assertion and goal, with ε replaced by
ε̂; that is,

    ŝqrt(ε̂) ⇐ find ẑ such that
                 ẑ² ≤ r and not [(ẑ + ε̂)² ≤ r]
               where 0 ≤ r and 0 < ε̂.

(The hats on ŝqrt and ε̂ distinguish the auxiliary and its parameter from the main
program sqrt and its argument ε.) We do not include a parameter r̂ in the auxiliary
because r was not replaced in forming the replica. For the auxiliary, r is global rather
than a parameter. When ŝqrt is evaluated, r will be bound to an argument of the main
program sqrt.


The initial assertion (0 ≤ r and 0 < ε) in the main tableau was not actually used in
developing the replica. However, the corresponding initial assertion (0 ≤ r and 0 < ε̂)
turns out to be necessary to complete the derivation of the auxiliary. In an automated
implementation, this condition would most likely be added to the input condition for the
auxiliary incrementally, after the derivation of the auxiliary was under way.


Assuming that we shall succeed in the synthesis of the auxiliary ŝqrt, we add to our
main tableau the assertion that ŝqrt does indeed meet its specification for all inputs v;
that is,

    4.  if 0 ≤ r and 0 < v
          then (ŝqrt(v))² ≤ r and
               not [(ŝqrt(v) + v)² ≤ r]

By resolving the initial goal 2 with this assertion, and then resolving the resulting goal
with the initial assertion, we obtain (after true-false transformation) the final goal

    5.  true                                        ŝqrt(ε)

Note that goal 3, which serves to suggest introducing the auxiliary ŝqrt, turns out
to play no part in the derivation of the main program. The main program we obtain is
simply

    sqrt(r, ε) ⇐ ŝqrt(ε).

The only difference between the main program sqrt(r, ε) and the auxiliary ŝqrt(ε̂) is
that r is a parameter for sqrt but not for ŝqrt. This turns out to be a crucial distinction,
however, because the well-founded relation we employ in the derivation of ŝqrt depends
on r. The well-founded relation for a program cannot depend on a parameter for that
program; otherwise the induction is not sound and termination is jeopardized. Had we
not introduced the auxiliary, we would not have been able to complete this derivation.
(Other derivations would be possible, using more artificial well-founded relations.)


6.  COMPLETION  OF  THE  SQUARE-ROOT  DERIVATION 

In this section we apply the principles we have introduced to complete the derivation of
the square-root subprogram.


INTRODUCTION  OF  THE  RECURSIVE  CALL 


In deriving the auxiliary,

    ŝqrt(ε̂) ⇐ find ẑ such that
                 ẑ² ≤ r and not [(ẑ + ε̂)² ≤ r]
               where 0 ≤ r and 0 < ε̂,

we begin with the tableau

    assertions              goals                       outputs: ŝqrt(ε̂)
    -----------------------------------------------------------------------
    1.  0 ≤ r and 0 < ε̂     2.  z² ≤ r and              z
                                not [(z + ε̂)² ≤ r]

We attempt to mimic the main derivation. Resolving the initial goal with itself and
transforming as before, we obtain

    3.  ⟦ẑ² ≤ r and                                 if (ẑ + ε̂)² ≤ r
         not [(ẑ + 2ε̂)² ≤ r]⟧⁺                        then ẑ + ε̂
                                                      else ẑ

We assume inductively that the auxiliary ŝqrt will satisfy its specification for all inputs v
less than its parameter ε̂, with respect to some well-founded relation ≺w, i.e.,

    4.  if v ≺w ε̂
          then if 0 ≤ r and 0 < v
            then ⟦(ŝqrt(v))² ≤ r and
                  not [(ŝqrt(v) + v)² ≤ r]⟧⁻

The boxed subsentences of the goal 3 and the induction hypothesis 4 are unifiable; a
most-general unifier is

    {v ← 2ε̂, ẑ ← ŝqrt(2ε̂)}.

Applying the resolution rule, we obtain (after transformation)

    5.  2ε̂ ≺w ε̂ and                                 if [ŝqrt(2ε̂) + ε̂]² ≤ r
        0 ≤ r and 0 < 2ε̂                              then ŝqrt(2ε̂) + ε̂
                                                      else ŝqrt(2ε̂)

This step accounts for the introduction of three instances of a recursive call ŝqrt(2ε̂)
into the auxiliary subprogram. As before, the condition (0 ≤ r and 0 < 2ε̂) ensures
that the argument 2ε̂ of this recursive call will satisfy the input condition. The condition
2ε̂ ≺w ε̂ ensures that the newly introduced recursive call cannot lead to a nonterminating
computation. The well-founded relation ≺w is as yet unspecified.


THE  CHOICE  OF  THE  WELL-FOUNDED  RELATION 

We have assumed that the definitions and properties of well-founded relations over
several domains, including the real numbers, are among the assertions of our tableau. The
relation to be selected in this derivation is the bounded-doubling relation ≺bd(y), defined
on the positive reals so that

    u ≺bd(y) v if and only if u = 2v and v ≤ y,

for some fixed upper bound y. Thus, with respect to this relation, 2v is actually less than
v. The upper bound y is a parameter of the relation: for each real number y, we obtain
a different relation ≺bd(y).

The bounded-doubling relation is well-founded because we cannot double a positive
real forever without exceeding the bound y; thus, with respect to this relation, no infinite
decreasing sequences exist. Note that we could have replaced the constant 2 with any
real constant greater than 1 or, indeed, with a variable x, which would then become
an additional parameter for bd; but we shall not require such generality here. Also, for
u ≺bd(y) v to be true, we require that v ≤ y but not that u ≤ y.


The  property  of  the  bounded-doubling  relation  we  employ  is 

if  0  <  v  and  v  <  y 
then  2v  <bd(y)  v  ~ 

Recall that we regard u ≺_w v as an abbreviation of ≺(w, u, v). The subsentence 2ε ≺_w ε of our goal

5. 2ε ≺_w ε and 0 ≤ r and 0 < 2ε
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)

and the consequent 2v ≺_bd(y) v of the above assertion unify; a most-general unifier is

{v ← ε, w ← bd(y)}.

By resolution of the goal with the assertion, we obtain

6. 0 ≤ r and 0 < 2ε
   and
   0 < ε and ε ≤ y
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)


At this stage, the well-founded relation ≺_w has been chosen to be the bounded-doubling relation ≺_bd(y). The upper bound y is as yet undetermined.

The rest of the derivation relies on the special-relation rules (Manna and Waldinger [86]), which we have not presented here, and is relatively straightforward. We shall not give it in detail, but we would like to give the intuitive argument, indicating some of the properties we use but not what rules we apply.

With the help of the initial assertion for the auxiliary,

1. 0 ≤ r and 0 < ε,

we can discard the first three conjuncts of our goal 6, leaving

7. ε ≤ y
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)

We shall refer to this as the upper-bound goal. It maintains that, if we can find some upper bound y on our input parameter ε, its output entry meets the specification.

Note that, because ε is a parameter, it was initially our abbreviation for a skolem term ε(w). Then the well-founded relation w was taken to be bd(y), so ε in the upper-bound goal ε ≤ y stands for ε(bd(y)). Thus, this goal ε(bd(y)) ≤ y is not unifiable with the reflexivity assertion u ≤ u (they have no common instance, because y occurs inside ε(bd(y))), and we are prevented from resolving them. In other words, we (fortunately) cannot take the upper bound on ε to be ε itself.

Let us set the upper-bound goal aside for the moment; its proof depends on our treatment of the base case, which we consider next.


THE  BASE  CASE 


Recall that the initial goal for the auxiliary procedure sqrt(ε) is

2. z² ≤ r and not [(z + ε)² ≤ r]
   output: z

We employ the initial condition 0 ≤ r and properties of the reals (including 0 + v = v), taking z to be 0, to reduce the goal to not (ε² ≤ r), that is,

8. r < ε²
   output: 0

Note that at this stage the output entry has become 0.

We next employ the transitivity of the less-than relation and the property

if 1 < u then u < u²

to decompose our goal further, to (r < ε and 1 < ε), that is,

9. max(r, 1) < ε
   output: 0

In other words, in the case in which max(r, 1) < ε, the output 0 will satisfy the input-output specification. (The test must be strict: for r = 1 and ε = 1 we have max(r, 1) = ε, and the output 0 would violate not [(0 + ε)² ≤ r].)


PROVING THE UPPER-BOUND GOAL

Because we have introduced the goal max(r, 1) < ε, we can restrict our attention to the case in which not [max(r, 1) < ε], that is, ε ≤ max(r, 1). But in this case the upper bound y for our bounded-doubling relation ≺_bd(y) can be taken to be max(r, 1) itself. Formally speaking, we apply the theory resolution rule to this goal 9 and our upper-bound goal

7. ε ≤ y
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)

We invoke the property (u < v or v ≤ u) and take the most-general unifier to be

{u ← max(r, 1), v ← ε, y ← max(r, 1)}.

We obtain the final goal

10. true
    output: if max(r, 1) < ε
            then 0
            else if [sqrt(2ε) + ε]² ≤ r
                 then sqrt(2ε) + ε
                 else sqrt(2ε)

The new conditional in the output entry is introduced by the theory resolution rule.


At this stage we can see why the introduction of an auxiliary in which r is not a parameter was necessary for this derivation. Had we retained r as a parameter, it would have appeared in the initial goal as a skolem function r(w). Because w was subsequently replaced by bd(y), the occurrence of r in the goal max(r, 1) < ε would have become r(bd(y)). We would have been prevented from unifying y with the term max(r(bd(y)), 1), which contains y; this last step could therefore not have been performed. From an intuitive point of view, if r were a parameter, the system would suspect that r might be increased with each recursive call. There might then be no upper bound for the bounded-doubling relation, and termination would not be guaranteed.


We have completed the derivation of the main program and the auxiliary. The final program we obtain is therefore

sqrt(r, ε) ⇐ sqrt(ε)

sqrt(ε) ⇐ if max(r, 1) < ε
          then 0
          else if [sqrt(2ε) + ε]² ≤ r
               then sqrt(2ε) + ε
               else sqrt(2ε)
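As an added illustration, not part of the paper, the derived program can be run directly. The Python below transcribes it, holding r as a closure variable of the auxiliary in place of the global, evaluates the output condition z² ≤ r and not [(z + ε)² ≤ r] in exact rational arithmetic (floating point would make the test (z + e)² ≤ r subject to rounding), and counts the calls of the auxiliary, which the bounded-doubling relation bounds by the number of doublings of ε needed to exceed max(r, 1). The option strict_base is our own addition: it replaces the derived base test max(r, 1) < ε by max(r, 1) ≤ ε, to exhibit the case r = 1, ε = 1 in which the weakened test returns an output that fails the specification.

```python
from fractions import Fraction


def sqrt_derived(r, eps, strict_base=True):
    """The derived program sqrt(r, eps) <= sqrt(eps).

    r is held by the auxiliary (a closure variable here, a global in the
    paper); eps is its parameter.  Returns (z, calls), where calls counts the
    invocations of the auxiliary.  strict_base=False weakens the derived base
    case max(r, 1) < e to max(r, 1) <= e (added here only for illustration).
    """
    r, eps = Fraction(r), Fraction(eps)
    if r < 0 or eps <= 0:
        raise ValueError("input condition 0 <= r and 0 < eps violated")
    bound = max(r, Fraction(1))
    calls = 0

    def aux(e):
        nonlocal calls
        calls += 1
        # Base case: the tolerance is so large that 0 is within e below sqrt(r).
        at_bound = bound < e if strict_base else bound <= e
        if at_bound:
            return Fraction(0)
        # Recursive case: a single call stands for the three occurrences of
        # sqrt(2e) in the derived program (common-subexpression elimination).
        z = aux(2 * e)
        return z + e if (z + e) ** 2 <= r else z

    return aux(eps), calls


def meets_spec(r, eps, z):
    """Output condition of sqrt(r, eps): z^2 <= r and not [(z + eps)^2 <= r]."""
    r, eps, z = Fraction(r), Fraction(eps), Fraction(z)
    return z * z <= r and not ((z + eps) ** 2 <= r)


def call_bound(r, eps):
    """Number of auxiliary calls forced by the bounded-doubling relation:
    eps is doubled until it exceeds the upper bound max(r, 1), and every
    parameter in that chain is visited exactly once."""
    r, e = Fraction(r), Fraction(eps)
    bound = max(r, Fraction(1))
    calls = 1
    while not bound < e:
        e *= 2
        calls += 1
    return calls
```

For r = 2 and ε = 1/1000 the program returns 1414/1000 after 12 calls, the chain ε, 2ε, ..., 2048ε being the only parameters ever passed; the answer is the largest multiple of ε whose square does not exceed r, built one doubling at a time on the way back from the base case.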


7.  SUMMARY 

At this point we reproduce the entire square-root derivation, again omitting some straightforward steps.


MAIN PROGRAM

The initial tableau:

assertions:
1. 0 ≤ r and 0 < ε

goals:
2. z² ≤ r and not [(z + ε)² ≤ r]
   output sqrt(r, ε): z

By resolution applied to goal 2 and itself:

3. z² ≤ r and not [(z + 2ε)² ≤ r]
   output: if (z + ε)² ≤ r then z + ε else z

By auxiliary-procedure introduction, the new assertion

4. if 0 ≤ r and 0 < v
   then (sqrt(v))² ≤ r and not [(sqrt(v) + v)² ≤ r]

This step has been motivated by the replication of goal 2 in goal 3.

By resolution, from goal 2, assertion 4, and assertion 1:

5. true
   output: sqrt(ε)

AUXILIARY SUBPROGRAM

The initial tableau:

assertions:
1. 0 ≤ r and 0 < ε

goals:
2. z² ≤ r and not [(z + ε)² ≤ r]
   output sqrt(ε): z

By resolution applied to goal 2 and itself:

3. z² ≤ r and not [(z + 2ε)² ≤ r]
   output: if (z + ε)² ≤ r then z + ε else z

The induction hypothesis:

4. if v ≺_w ε
   then if 0 ≤ r and 0 < v
        then (sqrt(v))² ≤ r and not [(sqrt(v) + v)² ≤ r]

By resolution applied to goal 3 and assertion 4:

5. 2ε ≺_w ε and 0 ≤ r and 0 < 2ε
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)

Here the recursive calls have been introduced.

A property of the bounded-doubling relation:

if 0 < v and v ≤ y
then 2v ≺_bd(y) v

By resolution applied to goal 5 and the above property:

6. 0 ≤ r and 0 < 2ε and 0 < ε and ε ≤ y
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)

At this stage the well-founded relation is taken to be the bounded-doubling relation.

By resolution and special-relation rules, from goal 6, assertion 1, and properties of the reals:

7. ε ≤ y
   output: if [sqrt(2ε) + ε]² ≤ r then sqrt(2ε) + ε else sqrt(2ε)

By resolution and special-relation rules, from goal 2, assertion 1, and properties of the reals:

9. max(r, 1) < ε
   output: 0

At this stage, a suitable upper bound for the bounded-doubling relation has been found to be max(r, 1).

By theory resolution applied to goals 7 and 9, invoking the property (u < v or v ≤ u):

10. true
    output: if max(r, 1) < ε
            then 0
            else if [sqrt(2ε) + ε]² ≤ r
                 then sqrt(2ε) + ε
                 else sqrt(2ε)

The real-number square-root derivation was first discovered manually; it was subsequently reproduced with an interactive program-synthesis system.
8.  VARIATIONS 

In this section we present several analogous binary-search derivations for different problems and for different specifications of the same problem.

OTHER  SQUARE-ROOT  SPECIFICATIONS 

It may have occurred to the reader that we were just lucky in our choice of specification, in that two subsentences of the output condition turned out to be unifiable. What if the specification had been in some other form? Would we have been able to obtain the same program?

For example, suppose we had phrased the output condition as

z² ≤ r and (z + ε)² > r

or

z² ≤ r and r < (z + ε)²

instead of

z² ≤ r and not [(z + ε)² ≤ r].

Then we would not have been able to unify the two subsentences of the initial goal and apply the resolution rule, as we did in our original derivation. How could we have proceeded?

In fact, we can apply the theory resolution rule, invoking the property

u ≤ v or u > v

or, respectively,

u ≤ v or v < u.

We obtain (after transformation) the new goal

z² ≤ r and (z + 2ε)² > r

or, respectively,

z² ≤ r and r < (z + 2ε)²,

each of which is a replica of the initial goal. The balance of the derivations is as before.

We could also have phrased the output condition as

|√r − z| < ε.

Here √r is the precise square root of r; the function √u is a nonprimitive that can nevertheless be employed in specification. This specification is weaker than the one we were given originally, since it permits z to be larger than √r. With the help of the input condition, properties of the absolute-value function, and other properties of the reals, we can develop the goal

0 ≤ √r − z and √r − z < ε

and then

0 ≤ z and z² ≤ r and r < (z + ε)².

From this goal, we can derive the same program as before. Of course, because the specification is weaker, we can obtain a broader class of programs.

Many  binary-search  algorithms  can  be  derived  in  an  analogous  way.  Let  us  first 
consider  some  other  real-number  problems. 


THE DIVISION ALGORITHM

Suppose a program to perform real-number division is specified as follows:

div(r, s, ε) ⇐ find z such that
    z · s ≤ r and not [(z + ε) · s ≤ r]
  where 0 ≤ r and 0 < s and 0 < ε.

In other words, the program is required to yield a real number z that is within a tolerance ε less than r/s, the exact quotient of dividing r by s. We obtain the program




div(r, s, ε) ⇐ div(ε)

div(ε) ⇐ if r < ε · s
         then 0
         else if [div(2ε) + ε] · s ≤ r
              then div(2ε) + ε
              else div(2ε)


The auxiliary subprogram div, which is analogous to the auxiliary subprogram sqrt, is like the top-level division program div but takes r and s to be globals, not parameters. It meets the specification

div(ε) ⇐ find z such that
    z · s ≤ r and not [(z + ε) · s ≤ r]
  where 0 ≤ r and 0 < s and 0 < ε.

The rationale for the div program, like its derivation, is analogous to that for the real-number square root. The program first checks whether the error tolerance is very big, that is, if r < ε · s. If so, the output can safely be taken to be 0. For, because 0 ≤ r, we have

0 · s ≤ r.

And, because r < ε · s, we have r < (0 + ε) · s, that is,

not [(0 + ε) · s ≤ r].

Thus, 0 satisfies both conjuncts of the output condition for div in this case.

On the other hand, if ε is small, that is, if ε · s ≤ r, the program finds a rougher estimate div(2ε), which is within 2ε less than r/s. The program considers whether increasing this estimate by ε will still leave it no greater than r/s. If so, the rough estimate may be increased by ε; if not, the rough estimate is already close enough.

The termination proof for this program is also analogous to that for the square root. Although the argument ε is doubled with each recursive call, the other arguments are unchanged and the calls are evaluated only in the case in which ε · s ≤ r, that is, ε ≤ r/s. Thus, there is a uniform upper bound on the doubled argument.


BINARY SEARCH SCHEMATA

It may be clear from the foregoing discussion that there is little in the derivations for the square-root and division programs that depends on the properties of these functions. More or less the same derivation suffices for finding an approximate solution to an arbitrary real-number equation f(z) = r.

For a given primitive function symbol f, we consider the specification

solve(r, ε) ⇐ find z such that
    f(z) ≤ r and not [f(z + ε) ≤ r]
  where f(a) ≤ r and
        (if b < u then not (f(u) ≤ r)) and
        0 < ε.

Here a and b are primitive constants and u is a variable. In other words, we assume that there exist real numbers a and b such that f(a) ≤ r and f(u) > r for every real u greater than b. The specification is illustrated as follows:

If f is assumed to be monotonically increasing, the input condition can be simplified. But we do not need to assume that f is increasing or even continuous; if f is not continuous, an exact solution to the equation f(z) = r need not exist, but an exact solution is not required by the specification.

The program we obtain is

solve(r, ε) ⇐ solve(ε)

solve(ε) ⇐ if b < a + ε
           then a
           else if f(solve(2ε) + ε) ≤ r
                then solve(2ε) + ε
                else solve(2ε)

In the recursive case, in which a + ε ≤ b, the solve program is so closely analogous to the previous binary-search programs as to require no further explanation.

In the base case, in which b < a + ε, the output can safely be taken to be a. For, by an input condition, we have

f(a) ≤ r

and (by the other input condition, because b < a + ε)

not [f(a + ε) ≤ r].

Thus, a satisfies both conjuncts of the output condition for solve in this case.

The above program may be regarded as a schema, since we may take the symbol f to be any primitive function symbol. An even more general binary-search program schema can be derived from the specification

search(r, ε) ⇐ find z such that
    p(r, z) and not p(r, z + ε)
  where p(r, a) and
        (if b < u then not p(r, u)) and
        0 < ε,

where p is a primitive relation symbol and a and b are primitive constants. We obtain the schema

search(r, ε) ⇐ search(ε)

search(ε) ⇐ if b < a + ε
            then a
            else if p(r, search(2ε) + ε)
                 then search(2ε) + ε
                 else search(2ε)
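As an added example, not taken from the paper, the following Python realises the search schema above with the relation p passed in as a predicate (r is captured inside it) and a and b supplied as the constants of the input condition. It is then instantiated three ways: as the division program of the preceding subsection (p(r, z) is z · s ≤ r, with a = 0 and b = r/s), as solve for the non-monotonic f(u) = (u − 1)² with r = 1 (a = 0, b = 2), and as solve for the discontinuous f(u) = ⌊u⌋ with r = 5/2 (a = 0, b = 3), where no exact solution of f(z) = r exists but the specification is still met. The choice of the three instances and of the constants a and b is ours.

```python
import math
from fractions import Fraction


def search(p, eps, a, b):
    """The search schema:
         search(eps) <= if b < a + eps then a
                        else if p(r, search(2 eps) + eps) then search(2 eps) + eps
                        else search(2 eps)
    r lives inside the Python predicate p; a and b are the constants of the
    input condition p(r, a) and (if b < u then not p(r, u))."""
    eps, a, b = Fraction(eps), Fraction(a), Fraction(b)
    if eps <= 0 or not p(a):
        raise ValueError("input condition violated")

    def aux(e):
        if b < a + e:
            return a
        z = aux(2 * e)      # one call for the three occurrences of search(2e)
        return z + e if p(z + e) else z

    return aux(eps)


def meets_spec(p, eps, z):
    """Output condition: p(r, z) and not p(r, z + eps)."""
    return p(z) and not p(z + Fraction(eps))


# Instance 1: real-number division div(r, s, eps).  For u > r/s we have
# u*s > r, so a = 0 and b = r/s satisfy the input condition.
def div_search(r, s, eps):
    r, s = Fraction(r), Fraction(s)
    return search(lambda z: z * s <= r, eps, 0, r / s)


# Instance 2: solve(r, eps) with the non-monotonic f(u) = (u - 1)^2 and r = 1.
# f(0) = 1 <= r, and f(u) > 1 for every u > 2, so a = 0 and b = 2.
def solve_parabola(eps):
    f = lambda u: (u - 1) ** 2
    return search(lambda z: f(z) <= 1, eps, 0, 2)


# Instance 3: solve(r, eps) with the discontinuous f(u) = floor(u) and
# r = 5/2.  No z has f(z) = 5/2, yet f(0) = 0 <= r and f(u) >= 3 > r for
# every u > 3, so a = 0 and b = 3 make the specification satisfiable.
def solve_floor(eps):
    f = lambda u: math.floor(u)
    return search(lambda z: f(z) <= Fraction(5, 2), eps, 0, 3)
```

With ε = 1/100, div_search(7, 3, ε) returns 233/100, the largest multiple of ε not exceeding 7/3; solve_parabola(1/4) returns exactly 2, the right-hand crossing of the parabola with r = 1 (the output condition selects the boundary beyond which f stays above r, not the crossing nearest a); and solve_floor(1/8) returns 23/8, which satisfies ⌊z⌋ ≤ 5/2 and ⌊z + 1/8⌋ = 3 > 5/2 although f never takes the value 5/2.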


INTEGER  ALGORITHMS 

The programs we have discussed apply to the nonnegative real numbers; using the same approach, we have derived analogous programs that apply to the nonnegative integers.

Integer square root

The integer square-root program is intended to find the integer part of √n, the real square root of a nonnegative integer n. It can be specified in the theory of nonnegative integers as follows:

isqrt(n) ⇐ find z such that
    z² ≤ n and not [(z + 1)² ≤ n].

In other words, the program must yield a nonnegative integer z that is within 1 less than √n.

In the course of the derivation, we are led to introduce an auxiliary program to meet the more general specification

isqrt(i) ⇐ find z such that
    z² ≤ n and not [(z + i)² ≤ n]
  where 0 < i.

In other words, we wish to find a nonnegative integer z that is within i less than √n. This auxiliary specification is precisely analogous to the specification for the real-number square-root auxiliary sqrt(ε), with i playing the role of the error tolerance ε.

The motivation for introducing the auxiliary is as follows. In the derivation of the main program isqrt(n), we have the initial goal

z² ≤ n and not [(z + 1)² ≤ n]
   output: z

By resolving this goal with itself and transforming, we obtain the new goal

z² ≤ n and not [(z + 2)² ≤ n]
   output: if (z + 1)² ≤ n then z + 1 else z

This subgoal is a replica of the original goal, obtained by replacing the term 1 with 2. This suggests introducing the new auxiliary isqrt(i), whose parameter i takes the place of the replaced term 1 in the initial goal. The input condition 0 < i for the auxiliary is introduced incrementally, while the derivation of isqrt(i) is in progress.

The programs we obtain to meet these specifications are

isqrt(n) ⇐ isqrt(1)

isqrt(i) ⇐ if n < i
           then 0
           else if [isqrt(2i) + i]² ≤ n
                then isqrt(2i) + i
                else isqrt(2i)

Integer quotient

The integer quotient program can be specified similarly:

quot(m, n) ⇐ find z such that
    z · n ≤ m and not [(z + 1) · n ≤ m]
  where 0 < n.

In other words, we wish to find a nonnegative integer z that is within 1 less than m/n, the real-number quotient of m and n.

In the course of the derivation, we are led to introduce an auxiliary subprogram to meet the more general specification

quot(i) ⇐ find z such that
    z · n ≤ m and not [(z + i) · n ≤ m]
  where 0 < n and 0 < i.

In other words, we wish to find a nonnegative integer z that is within i less than m/n.

The programs obtained to meet these specifications are

quot(m, n) ⇐ quot(1)

quot(i) ⇐ if m < i · n
          then 0
          else if [quot(2i) + i] · n ≤ m
               then quot(2i) + i
               else quot(2i)

Here too the derivation is analogous.
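The integer programs make the shape of the derived algorithm especially visible, so we add the following Python (our own example, not from the paper). isqrt_trace runs the isqrt(i) auxiliary and records the parameters 1, 2, 4, ... at which it is called on the way down and the parameters that are actually added to z on the way back: since each added i is a distinct power of two, the added parameters are exactly the set bits of the result, so the program builds √n one binary digit at a time from the most significant bit down. quot_bs transcribes the quotient program, and check_against_reference compares both with Python's math.isqrt and integer division on a range of inputs.

```python
import math


def isqrt_trace(n):
    """isqrt(n) <= isqrt(1), where
         isqrt(i) <= if n < i then 0
                     else if [isqrt(2i) + i]^2 <= n then isqrt(2i) + i
                     else isqrt(2i).
    Returns (z, doublings, added): the result, the parameters i passed to the
    auxiliary in call order, and the i's added to z on the way back (in the
    order they are added, i.e. from the most significant bit down)."""
    if n < 0:
        raise ValueError("n must be a nonnegative integer")
    doublings, added = [], []

    def aux(i):
        doublings.append(i)
        if n < i:                       # base case: 0 is within i below sqrt(n)
            return 0
        z = aux(2 * i)                  # rougher estimate, within 2i below sqrt(n)
        if (z + i) ** 2 <= n:           # can the estimate be refined by i?
            added.append(i)
            return z + i
        return z

    return aux(1), doublings, added


def quot_bs(m, n):
    """quot(m, n) <= quot(1), with
         quot(i) <= if m < i*n then 0
                    else if [quot(2i) + i]*n <= m then quot(2i) + i
                    else quot(2i)."""
    if n <= 0 or m < 0:
        raise ValueError("input condition 0 < n (and 0 <= m) violated")

    def aux(i):
        if m < i * n:
            return 0
        z = aux(2 * i)
        return z + i if (z + i) * n <= m else z

    return aux(1)


def check_against_reference(limit):
    """Exhaustively compare both programs with math.isqrt and // for all
    0 <= n, m < limit, and confirm that the added i's of isqrt sum to z."""
    for n in range(limit):
        z, _, added = isqrt_trace(n)
        if z != math.isqrt(n) or sum(added) != z:
            return False
        for m in range(limit):
            if quot_bs(m, n + 1) != m // (n + 1):
                return False
    return True
```

For n = 10 the auxiliary is called with i = 1, 2, 4, 8, 16; the base case fires at 16, and on the way back 8 and 4 are rejected while 2 and 1 are added, giving z = 3 = 2 + 1.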


THE  LAMBO  FUNCTION 


The function lambo is a nonnegative-integer approximation for the inverse of a given nonnegative-integer function f. We assume that f has the following properties:

f is monotonically increasing, i.e.,
    if u ≤ v then f(u) ≤ f(v),

f is unbounded, i.e.,
    (∃h)[u < f(h)],

for all nonnegative integers u and v. Here h also ranges over the nonnegative integers.

The specification for the desired program is

lambo(n) ⇐ find z such that
    n ≤ f(z) and
    (∀g)[if g < z then f(g) < n].

In other words, lambo(n) is the least nonnegative integer z such that n ≤ f(z). Note that this specification depends on the given function f: for a different function f, we obtain a different specification and, presumably, a different program.

A  linear-time  lambo  program  was  derived  by  Dijkstra  [82],  who  used  transformations 
of  that  program  to  provide  a  novel  proof  of  a  theorem  of  Lambek  and  Moser — hence  the 
name  of  the  function.  The  derivation  of  a  lambo  program  was  posed  as  an  exercise  for 
participants  at  the  1985  Workshop  on  the  Specification  and  Derivation  of  Programs,  in 
Marstrand,  Sweden.  A  construction  analogous  to  our  square-root  derivation  turns  out  to 
yield  a  binary-search  lambo  program.  We  outline  that  derivation  briskly  here. 


We begin with the tableau

assertions:
2. u < f(h(u))

goals:
1. n ≤ f(z) and
   (if g(z) < z then f(g(z)) < n)
   output lambo(n): z

Here g(z) is a skolem function obtained by eliminating the quantifier (∀g) from the specification. The unboundedness of f is expressed by the assertion

u < f(h(u)),

where h is a skolem function introduced to eliminate the quantifier (∃h). (Note that, by duality, existential quantifiers in assertions are treated in the same way as universal quantifiers in goals.) The monotonicity of f is not represented by an assertion; it is declared, and treated by the special-relation rules.

Using the property of the nonnegative integers

not (u < 0),

taking z to be 0, we reduce our initial goal 1 to

3. n ≤ f(0)
   output: 0

In other words, in the case in which n ≤ f(0), our original goal is true and the output 0 meets the specification.

Returning to our initial goal 1, using the property

u < v + 1 ≡ u ≤ v,

we can develop the goal

4. f(z') < n and n ≤ f(z' + 1)
   output: z' + 1

From an intuitive standpoint, if this goal is true for some z', the original goal 1 is true, taking z to be z' + 1. For then n ≤ f(z' + 1) and, if we assume that g(z' + 1) < z' + 1, we have g(z' + 1) ≤ z' (by the property), hence f(g(z' + 1)) ≤ f(z') (by monotonicity), and hence f(g(z' + 1)) < n (by goal 4 and transitivity). Thus, both conjuncts of the initial goal 1 are true. In the system, the goal is obtained by a special-relation rule.


Goal 4 is analogous to the initial goals of our other derivations. Theory resolution of the goal with itself, invoking the property

u < v or v ≤ u,

yields the new goal (after transformation)

5. f(z) < n and n ≤ f(z + 2)
   output: if f(z + 1) < n then z + 2 else z + 1

This is a replica of our previous goal 4, obtained by replacing the constant 1 with the constant 2. This suggests forming an auxiliary subprogram, which we shall call limbo(i), with output condition

f(z) < n and n ≤ f(z + i).

Two input conditions,

0 < i and f(0) < n,

are introduced incrementally during the derivation of limbo. In short, the ultimate specification for the subprogram is

limbo(i) ⇐ find z such that
    f(z) < n and n ≤ f(z + i)
  where 0 < i and f(0) < n.

An assertion describing the auxiliary limbo is introduced into the main tableau; we can then complete the main derivation, obtaining the program

lambo(n) ⇐ if n ≤ f(0)
           then 0
           else limbo(1) + 1.

The derivation of the auxiliary limbo closely resembles the other binary-search derivations. We obtain the program

limbo(i) ⇐ if n ≤ f(i)
           then 0
           else if f(limbo(2i) + i) < n
                then limbo(2i) + i
                else limbo(2i)

(As usual, the three recursive calls can be combined by common-subexpression elimination and the program can be transformed into an iterative equivalent.)

The well-founded relation that serves as the basis for the induction (and the termination argument) is again the bounded-doubling relation ≺_bd(y). The upper bound y in this case is h(n), where h is the skolem function in the unboundedness assertion

u < f(h(u)).

(Therefore, h(n) is an argument that will force f to exceed the given integer n.) For, intuitively speaking, if the parameter i of limbo exceeds this upper bound, that is, if

h(n) < i,

we have

f(h(n)) ≤ f(i)

(by the monotonicity of f) and hence

n < f(i)

(by the unboundedness assertion and transitivity), so that in particular n ≤ f(i). In this case, the limbo program exits via the base case; the recursive call is not executed. Consequently, the upper bound on i is maintained whenever the recursive call is executed, and termination is not endangered. In the derivation, of course, this argument is conducted within the rules of the system.

Note that, in this example, the choice of the well-founded relation ≺_bd(h(n)) depended on the skolem function h. This function is not primitive; we are told that an argument exists that will cause f to exceed the given integer, but we are not told how to compute such an argument. For this reason, the lambo example has sometimes been regarded as a challenge to systems that extract programs from purely constructive mathematical proofs (e.g., Martin-Löf [79], Sato [79], Nordström and Smith [84], Bates and Constable [85]). In such a system, a quantity exists only if we have the means to compute it. Here we deal with a quantity that, we are told, exists, but we have no means to compute it; however, we do not need such a computation, because the quantity's precise value has no bearing on the output.
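To make the last point concrete we add the following Python, which is our own example and not part of the paper. It transcribes lambo and limbo for a caller-supplied f, checks the result against the output condition (n ≤ f(z) and f(g) < n for every g < z) and against a plain linear search used only as a reference (the paper notes that Dijkstra derived a linear-time lambo program; this loop is not that program), and counts how often f is evaluated. Nothing in the program computes or needs h(n): the bound enters the termination argument only, while the program itself stops doubling as soon as n ≤ f(i). The two sample functions, u² and ⌊u/3⌋ (the latter chosen to have plateaus, so that several z share one value of f), are our choice.

```python
def lambo(f, n):
    """lambo(n) <= if n <= f(0) then 0 else limbo(1) + 1
       limbo(i) <= if n <= f(i) then 0
                   else if f(limbo(2i) + i) < n then limbo(2i) + i
                   else limbo(2i)
    f must be monotonically nondecreasing and unbounded on the nonnegative
    integers; n is a nonnegative integer."""
    if n <= f(0):
        return 0

    def limbo(i):
        if n <= f(i):              # base case: 0 is within i below the answer
            return 0
        z = limbo(2 * i)           # one call for the three occurrences of limbo(2i)
        return z + i if f(z + i) < n else z

    return limbo(1) + 1


def lambo_linear(f, n):
    """Reference value: the least z with n <= f(z), found by stepping z up
    by one.  Used only to cross-check lambo."""
    z = 0
    while f(z) < n:
        z += 1
    return z


def is_least(f, n, z):
    """Output condition of lambo: n <= f(z) and f(g) < n for every g < z."""
    return n <= f(z) and all(f(g) < n for g in range(z))


class Counted:
    """Wraps f so that the number of evaluations made by a program is visible."""

    def __init__(self, f):
        self.f, self.calls = f, 0

    def __call__(self, u):
        self.calls += 1
        return self.f(u)


def lambo_evaluations(f, n):
    """Returns (lambo(n), number of evaluations of f made in computing it)."""
    cf = Counted(f)
    return lambo(cf, n), cf.calls
```

For f(u) = u² and n = 10⁶ the program evaluates f 22 times (once for f(0), eleven times while doubling i from 1 to 1024, and ten times while unwinding) and returns 1000, whereas the reference loop evaluates f about a thousand times; for f(u) = ⌊u/3⌋ and n = 2 it returns 6, the first of the three arguments at which f reaches 2.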
9. CONCLUSION


The examples in this paper serve to illustrate the application of the deductive-tableau system. In a more general sense, they suggest ways in which a mechanical system might invent a novel programming concept.

The  results  of  this  investigation  run  counter  to  our  usual  experience.  It  is  common 
for  a  bit  of  apparently  simple  and  intuitively  straightforward  reasoning  to  turn  out  to  be 
difficult  to  formalize  and  even  more  difficult  to  duplicate  automatically.  Here  the  opposite 
is  true:  an  idea  that  requires  a  substantial  leap  of  human  ingenuity  to  discover  is  captured 
in  a  few  easy  formal  steps.  We  may  consequently  imagine  that  truly  original  ideas  will 
arise  from  the  fortunate  application  of  simple  mechanisms. 